Abstract

Private information retrieval systems (PIRs) allow a user to extract an item from a database that is replicated over $k \geq 1$ servers, while satisfying various privacy constraints. We exhibit quantum $k$-server symmetrically-private information retrieval systems (QSPIRs) that use sublinear communication, do not use shared randomness among the servers, and preserve privacy against honest users and dishonest servers. Classically, SPIRs without shared randomness do not exist at all.
1 Introduction

1.1 Setting 

The Private Information Retrieval problem was introduced by Chor et al. [1]. A user wants to learn a bit $x_i$ from an $n$-bit database $x = x_1 \ldots x_n$, for some $i \in [n]$ of his choice. The privacy of the user requires that the database server learns nothing about $i$, in the information-theoretic sense, and general efficiency considerations require the communication between the user and the database to be limited. Clearly, PIR can be realized by making the server send the whole database to the user. This takes $n$ bits of communication and can be shown to be optimal. Better protocols exist if the database is replicated among some $k \geq 2$ different servers, who cannot communicate [1]. Here we require that individual servers learn nothing about $i$. For $k = 2$, the best known scheme uses $O(n^{1/3})$ bits of communication [4], and asymptotically the best known $k$-server scheme uses $n^{O(\log\log(k)/(k\log(k)))}$ bits [2]. For $k \geq 2$, no good lower bounds on the required communication are known for this setting.

In a recent paper, we showed how to obtain quantum PIR systems (QPIR, where the parties are quantum computers and the communication consists of qubits) that use slightly less communication than the best known classical schemes [5]. In Table 1 we list the best known bounds on the communication complexity for small numbers of servers, in the classical as well as quantum case.

          PIR complexity       QPIR complexity
k = 1     Θ(n)                 Θ(n)
k = 2     O(n^{1/3})           O(n^{3/10})
k = 3     O(n^{1/5.25})
k = 4     O(n^{1/7.87})

Table 1: Best known bounds on the communication complexity of classical and quantum PIR

In its standard form, PIR just protects the privacy of the user: the individual servers learn nothing about $i$. But now suppose we also want to protect the privacy of the data. That is, we don't want the user to learn anything about $x$ beyond the $x_i$ that he asks for. For example, because the user should pay a fee for every $x_i$ that he learns (pay-per-view), or because the database contains very sensitive information. This setting of Symmetrically-Private Information Retrieval (SPIR) was introduced by Gertner et al. They showed that SPIR is impossible even if the user is honest (i.e., follows the protocol) and the servers can individually flip coins (Appendix A of their paper). This no-go result holds no matter how many servers and how many bits and rounds of communication we allow. Therefore they extended the PIR model by allowing the servers to share a random string that is hidden from the user, and showed how to turn any PIR scheme into a SPIR scheme with shared randomness among the servers, at a small extra communication cost. The resulting schemes are information-theoretically secure even against dishonest users, and use a number of random bits that is of the same order as the communication.

The necessity of shared randomness for classical SPIR schemes is a significant drawback, since 
information-theoretic security requires new shared randomness for each application of the scheme. 
This either requires a lot of extra communication between the servers (if new shared randomness 
is generated for each new application) or much memory on the parts of the servers (if randomness 
is generated once for many applications, each server needs to store this). 

1.2 Results 

In this paper, we study the existence and efficiency of SPIR schemes in the quantum world, where user and servers have quantum computers and can communicate qubits. Here user privacy means that the states of individual servers should all be independent of $i$, and data privacy means that the concatenation of the various states of the user is independent of the bits $x_j$ for all $j \neq i$. We can distinguish between honest-user and dishonest-user data privacy. In the first case, data privacy holds if the user is honest (follows the protocol). In the second case, data privacy should hold even if the user deviates from the protocol in any way.

Our main result is that honest-user quantum SPIR schemes exist even in the case where the servers do not share any randomness. As mentioned above, such honest-user SPIRs without shared randomness are impossible in the classical world. This gives another example of a cryptographic task that can be performed with information-theoretic security in the quantum world but that is impossible classically (key distribution [3] is the main example of this). The communication complexity of our $k$-server QSPIR schemes is of the same order as that of the best known classical $k$-server PIR schemes. At first sight, one might think this trivial: just take a classical scheme, ensure data privacy using shared randomness among the servers, and then get rid of the shared randomness by letting the user entangle the messages to the servers. However, this would violate data privacy, as the user would now have "access" to the servers' shared randomness. In actuality we do something quite different, making use of the fact that the servers can add phases that multiply out to an overall phase. This phase allows the user to extract $x_i$, but nothing else. For $k = 2$ we also give an alternative, less efficient scheme based on the properties of Bell states.

The notion of an honest user is somewhat delicate, because clearly users cannot be trusted to follow the protocol in all cases. Still, there are scenarios where the assumption of an honest user is not unreasonable, for example in pay-per-view systems where the user accesses the system via some box (attached to his TV) that is sealed or otherwise protected from tampering. In this case the user cannot deviate from the protocol, but he can still be curious, trying to observe what goes on inside of his box to try to extract more information about the database. Our honest-user QSPIRs are perfectly secure against such users.

It would be nice to have SPIR schemes that are secure even against dishonest users. However, 
we exhibit a large class of PIR schemes (quantum as well as classical) that can all be cheated by a 
dishonest quantum user. Our honest-user QSPIRs fall in this class and hence are not secure against 
dishonest users. Fortunately, if we are willing to allow shared randomness between the servers then 
the best classical SPIRs can easily be made secure against even dishonest quantum users: if the 
servers measure the communication in the computational basis, the scheme is equivalent to the 
classical scheme, even if the user is quantum. 

Remarks: 

(1) Often the PIR setting is generalized to t-secure PIR, where no colluding set of t servers 
together have any information about i. We focus on the t = 1 case here in order to simplify the 
presentation. 

(2) Very efficient PIR and SPIR schemes are possible under computational assumptions, even for $k = 1$ servers (see e.g. the references at [7]). In this paper we focus on information-theoretic security.



2 Definitions 

We assume familiarity with the quantum model. The various variants of PIR are defined below.

Definition 1 A one-round, $k$-server private information retrieval (PIR) scheme with recovery probability $1/2 + \varepsilon$, query size $t$, and answer size $a$, consists of a randomized algorithm (the user), and $k$ randomized algorithms $S_1, \ldots, S_k$ (the servers), such that

1. On input $i \in [n]$, the user produces $k$ $t$-bit queries $q_1, \ldots, q_k$ and sends these to the respective servers. The $j$th server sends back an $a$-bit string $a_j$. The user outputs a bit $b$ depending on $i, a_1, \ldots, a_k$, and his randomness.

2. Recovery: For all $x$ and $i$, the probability (over the user's and servers' randomness) that $b = x_i$ is at least $1/2 + \varepsilon$.

3. User privacy: For all $j$, the distribution of $q_j$ (over the user's randomness) is independent of $i$.

The communication complexity of the scheme is the total length of the communication between the user and the servers, i.e. $k(t + a)$ bits.

All best known PIR schemes satisfy the above definitions with $\varepsilon = 1/2$ (i.e., no error probability), and we will hereafter take $\varepsilon = 1/2$ unless mentioned otherwise. It is open whether multiple-round schemes can be better than the one-round variety we defined here. For PIR schemes, we can assume without loss of generality that the servers are deterministic. However, we need randomized servers for the symmetrically-private variety:

Definition 2 A symmetrically-private information retrieval (SPIR) scheme is a PIR scheme with the additional property of data privacy: the user's "view" (i.e. the concatenation of his various states during the protocol) does not depend on $x_j$, for all $j \neq i$. We distinguish between private-randomness and shared-randomness SPIR schemes, depending on whether the servers individually flip coins or have a shared random coin (hidden from the user). We also distinguish between honest-user and dishonest-user SPIR, depending on whether data privacy should hold even when the user deviates from the protocol.

Definition 3 We define quantum versions QPIR and QSPIR of PIR and SPIR, respectively, in the obvious way: the user and the servers are quantum computers, and the communication uses quantum bits; user privacy means that the density matrix of each server is independent of $i$ at all points in the protocol; data privacy means that the concatenation of the density matrices that the user has at the various points of the protocol is independent of $x_j$, for all $j \neq i$. For QSPIR, we still have the distinctions of private/shared-randomness and honest/dishonest-user.

As mentioned in the introduction, Gertner et al. (Appendix A) exhibited quite efficient shared-randomness SPIR schemes. One might think that these can be turned into SPIR schemes with deterministic servers as follows: the user picks a random string, sends it to each of the servers (along with the queries) to establish shared randomness between them, and then erases (or "forgets") his copy of the random string. However, this erasing of the random string by the user is ruled out by the definition, since the user's view includes the random string he drew. In fact, Gertner et al. (Appendix A) showed that shared randomness between the servers is necessary for the existence of classical SPIR (even for multi-round protocols):

Fact 1 For every $k \geq 1$, there is no $k$-server private-randomness SPIR scheme.

Intuitively, the reason is that since the servers have no knowledge of $i$ (by user privacy), their individual messages need to be independent of all bits of $x$, including $x_i$, to ensure data privacy. But since they cannot coordinate via shared randomness, their joint messages will be independent of the whole $x$ as well, so the user cannot learn $x_i$.

Below we show that this negative result does not apply to the quantum world: using coordination 
via quantum entanglement, we can get honest-user QSPIRs without any communication or shared 
randomness between the servers at any stage of the protocol. 

3 Honest-user quantum SPIR schemes 
3.1 Honest-user QSPIRs from PIRs 

Our honest-user QSPIR schemes work on top of the PIR schemes recently developed by Beimel et al. [2]. These, as well as all others known, work as follows: the user picks a random string $r$, and depending on $i$ and $r$, picks $k$ queries $q_1, \ldots, q_k \in \{0,1\}^t$. He sends these to the respective servers, who respond with answers $a_1, \ldots, a_k \in \{0,1\}^a$. The user then outputs

$$\sum_{j=1}^{k} a_j \cdot b_j = x_i,$$

where $b_1, \ldots, b_k \in \{0,1\}^a$ are determined by $i$ and $r$, and everything is modulo 2.

We will now describe the quantum SPIR scheme. As before, the user picks $r, q_1, \ldots, q_k$. In addition, he picks $k$ random strings $r_1, \ldots, r_k \in \{0,1\}^a$. He defines $r'_j = r_j + b_j$ and sets up the following $(k+1)$-register state

$$\frac{1}{\sqrt{2}}|0\rangle|q_1, r_1\rangle \cdots |q_k, r_k\rangle + \frac{1}{\sqrt{2}}|1\rangle|q_1, r'_1\rangle \cdots |q_k, r'_k\rangle.$$

The user keeps the first 1-qubit register to himself, and sends the other $k$ registers to the respective servers. The $j$th server sees a random mixture of $|q_j, r_j\rangle$ and $|q_j, r'_j\rangle$. Since $q_j$ gives no information about $i$ (by the user privacy of the classical PIR scheme) and each of $r_j$ and $r'_j$ is individually random, the server learns nothing about $i$. The $j$th server performs the following unitary mapping

$$|q_j, r\rangle \mapsto (-1)^{a_j \cdot r}\,|q_j, r\rangle,$$
which he can do because $a_j$ only depends on $q_j$ and $x$. The servers then send everything back to the user; the overall communication is $2k(t + a)$ qubits, double that of the original scheme. The user now has the state

$$\frac{1}{\sqrt{2}}|0\rangle(-1)^{\sum_{j=1}^{k} a_j \cdot r_j}|q_1, r_1\rangle \cdots |q_k, r_k\rangle + \frac{1}{\sqrt{2}}|1\rangle(-1)^{\sum_{j=1}^{k} a_j \cdot r'_j}|q_1, r'_1\rangle \cdots |q_k, r'_k\rangle.$$

Up to an insignificant global phase $(-1)^{\sum_j a_j \cdot r_j}$, this is equal to

$$\frac{1}{\sqrt{2}}|0\rangle|q_1, r_1\rangle \cdots |q_k, r_k\rangle + \frac{1}{\sqrt{2}}|1\rangle(-1)^{\sum_{j=1}^{k} a_j \cdot b_j}|q_1, r'_1\rangle \cdots |q_k, r'_k\rangle = \frac{1}{\sqrt{2}}|0\rangle|q_1, r_1\rangle \cdots |q_k, r_k\rangle + \frac{1}{\sqrt{2}}|1\rangle(-1)^{x_i}|q_1, r'_1\rangle \cdots |q_k, r'_k\rangle.$$

The user can learn $x_i$ from this by returning everything except the first qubit to 0 (he knows $q_j$, $r_j$ and $r'_j$, so he can uncompute those registers), and then applying the Hadamard transform to the first qubit, which maps $\frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}(-1)^{x_i}|1\rangle \mapsto |x_i\rangle$. On the other hand, he can learn nothing else, since the various states of the user during the protocol never depend on any other $x_j$. Accordingly, we have an honest-user QSPIR scheme with recovery probability 1. Note that nowhere in the protocol do the servers have shared randomness: they do not start with it, the random strings $r_j, r'_j$ are not correlated between servers, and the servers do not end with any shared randomness (in fact they end with nothing).
Plugging in the best known classical PIR schemes, due to [2], gives

Theorem 1 For every $k \geq 2$, there exists an honest-user QSPIR (without shared randomness) with communication complexity $n^{O(\log\log(k)/(k\log(k)))}$.

Slightly better complexities can be obtained for small $k$, as stated in the first column of Table 1 in the introduction. For $k = 1$ our scheme communicates $2n$ qubits (just start from a 1-server scheme with query length 0, $a_1 = x$ and $b_1 = e_i$, the $i$th unit vector), for $k = 2$ it uses $O(n^{1/3})$ qubits, for $k = 3$ it uses $O(n^{1/5.25})$ qubits etc. Notice that we cannot use the (slightly better) $k$-server QPIR schemes from the second column of Table 1, since these reveal more than 1 bit about $x$.
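As an added illustration (this is not code from the paper), the following Python simulation runs the $k = 2$ case of the scheme above on top of a simple linear 2-server PIR that is assumed here for concreteness rather than the scheme of [2]: the user sends a uniformly random subset mask $S$ to server 1 and $S \oplus e_i$ to server 2, each server returns the parity of the selected database bits, and $b_1 = b_2 = 1$, so $a_1 \cdot b_1 + a_2 \cdot b_2 = x_i$. The block checks recovery with probability 1, that each server's reduced state (averaged over the user's randomness) is the same for every $i$, and that the honest user's final state depends on $x$ only through $x_i$ once the global phase $(-1)^{\sum_j a_j \cdot r_j}$ is factored out. States are sparse dictionaries of real amplitudes, which suffices because every phase in the protocol is $\pm 1$.

```python
"""Simulation of the phase-based QSPIR (added example; the linear 2-server PIR is assumed)."""
import itertools

K = 2                      # number of servers
B = ((1,), (1,))           # b_1, b_2 of the assumed PIR: answer size a = 1
SQRT_HALF = 2 ** -0.5


def xor(u, v):
    return tuple(p ^ q for p, q in zip(u, v))

# --- assumed classical linear 2-server PIR: q_1 = S, q_2 = S + e_i, a_j = parity(x . q_j) ---
def pir_queries(n, i, S):
    e_i = tuple(1 if idx == i else 0 for idx in range(n))
    return tuple(S), xor(S, e_i)

def pir_answer(x, q):
    """a_j as a 1-bit tuple; parity(x.q_1) + parity(x.q_2) = x_i (mod 2)."""
    return (sum(xb & qb for xb, qb in zip(x, q)) % 2,)

# --- quantum layer: state = {(c, q_1, r_1, q_2, r_2): amplitude}, c = user's qubit ---
def user_prepare(n, i, S, rs):
    """(1/sqrt2)|0>|q_1,r_1>|q_2,r_2> + (1/sqrt2)|1>|q_1,r_1'>|q_2,r_2'>, r_j' = r_j + b_j."""
    q1, q2 = pir_queries(n, i, S)
    rp = [xor(rs[j], B[j]) for j in range(K)]
    return {(0, q1, rs[0], q2, rs[1]): SQRT_HALF,
            (1, q1, rp[0], q2, rp[1]): SQRT_HALF}

def server_phase(state, j, x):
    """Server j applies |q_j, r> -> (-1)^{a_j . r} |q_j, r>; it needs only q_j and x."""
    out = {}
    for basis, amp in state.items():
        q, r = basis[1 + 2 * j], basis[2 + 2 * j]
        dot = sum(p & s for p, s in zip(pir_answer(x, q), r)) % 2
        out[basis] = amp * (-1) ** dot
    return out

def user_decode(state):
    """Uncompute the server registers (the user knows q_j, r_j, r_j') and Hadamard the first qubit."""
    amp = [0.0, 0.0]
    for basis, a in state.items():
        amp[basis[0]] += a
    prob_one = ((amp[0] - amp[1]) * SQRT_HALF) ** 2    # Pr[first qubit reads 1]
    return 1 if prob_one > 0.5 else 0

def run_protocol(x, i, S, rs):
    state = user_prepare(len(x), i, S, rs)
    for j in range(K):
        state = server_phase(state, j, x)
    return user_decode(state)

def all_randomness(n):
    for S in itertools.product((0, 1), repeat=n):
        for rs in itertools.product(((0,), (1,)), repeat=K):
            yield S, rs

def recovery_correct(n):
    """Recovery probability 1: every (x, i, user randomness) yields x_i."""
    return all(run_protocol(x, i, S, rs) == x[i]
               for x in itertools.product((0, 1), repeat=n)
               for i in range(n) for S, rs in all_randomness(n))

def server_mixture(n, i, j):
    """Server j's reduced density matrix, averaged over the user's randomness.  The two branches
    differ on the user's qubit, so it is diagonal: a mixture of |q_j,r_j> and |q_j,r_j'>.
    The server's own diagonal phase unitary leaves it unchanged."""
    rho, count = {}, 0
    for S, rs in all_randomness(n):
        for basis, amp in user_prepare(n, i, S, rs).items():
            key = basis[1 + 2 * j:3 + 2 * j]
            rho[key] = rho.get(key, 0.0) + amp * amp
        count += 1
    return {key: round(v / count, 9) for key, v in rho.items()}

def user_privacy_holds(n):
    """Each server's mixture is the same for every i (it is uniform over (q_j, r_j))."""
    return all(server_mixture(n, i, j) == server_mixture(n, 0, j)
               for j in range(K) for i in range(n))

def user_view(x, i, S, rs):
    """The user's final state, canonicalised up to the global phase (-1)^{sum_j a_j.r_j}."""
    state = user_prepare(len(x), i, S, rs)
    for j in range(K):
        state = server_phase(state, j, x)
    sign = 1 if next(a for b, a in state.items() if b[0] == 0) > 0 else -1
    return frozenset((b, round(sign * a, 9)) for b, a in state.items())

def data_privacy_holds(n):
    """Honest-user data privacy: the view depends on x only through x_i."""
    for i in range(n):
        for S, rs in all_randomness(n):
            views = {}
            for x in itertools.product((0, 1), repeat=n):
                views.setdefault(x[i], set()).add(user_view(x, i, S, rs))
            if any(len(v) != 1 for v in views.values()):
                return False
    return True
```

For a 4-bit database the checks enumerate all $2^4$ databases, all 4 indices and all 64 choices of user randomness; `server_mixture` returns the uniform distribution over $(q_j, r_j)$ pairs for every $i$, which is exactly the user-privacy argument of the text made concrete.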
3.2 Honest-user 2-server QSPIR with Bell states

The QSPIR scheme of the previous section requires communication $O(n^{1/3})$ for the case of two servers. Here we present a different scheme based on the Bell states. The scheme is suboptimal since it requires linear communication, but it makes use of some interesting properties of the Bell states and it could be easier to implement in the lab.

Our scheme works for even $n = 2m$, but for odd $n$ we can just add a dummy bit to $x$ to make it even. It relies on three of the Bell states:

$$|B_{00}\rangle = \frac{|00\rangle + |11\rangle}{\sqrt{2}}, \qquad |B_{01}\rangle = \frac{|01\rangle + |10\rangle}{\sqrt{2}}, \qquad |B_{10}\rangle = \frac{|00\rangle - |11\rangle}{\sqrt{2}},$$

and the four Pauli matrices

$$\sigma_{00} = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \qquad \sigma_{01} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \qquad \sigma_{10} = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \qquad \sigma_{11} = \sigma_{10}\sigma_{01} = \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix}.$$
We first describe our scheme for $n = 2$. If the user wants to know $x_1$, he builds the following 3-qubit state

$$\frac{1}{\sqrt{2}}\left(|0\rangle|B_{00}\rangle + |1\rangle|B_{01}\rangle\right),$$

and if he wants to know $x_2$ he builds

$$\frac{1}{\sqrt{2}}\left(|0\rangle|B_{00}\rangle + |1\rangle|B_{10}\rangle\right).$$

He sends the second qubit to server 1 and the third to server 2, keeping the first qubit to himself. It is easy to see that each server always gets a completely mixed qubit, so the servers learn nothing about $i$. Both servers will now apply $\sigma_{x_1 x_2}$ to the qubit they receive. That is, they will apply a phase flip if $x_1 = 1$ and a bit flip if $x_2 = 1$. The following properties are easily verified:

$$(\sigma_{x_1 x_2} \otimes \sigma_{x_1 x_2})|B_{00}\rangle = |B_{00}\rangle, \qquad (\sigma_{x_1 x_2} \otimes \sigma_{x_1 x_2})|B_{01}\rangle = (-1)^{x_1}|B_{01}\rangle, \qquad (\sigma_{x_1 x_2} \otimes \sigma_{x_1 x_2})|B_{10}\rangle = (-1)^{x_2}|B_{10}\rangle.$$

The servers then send their qubit back to the user. By the above properties, if the user wanted to know $x_1$, then he now has

$$\frac{1}{\sqrt{2}}\left(|0\rangle|B_{00}\rangle + (-1)^{x_1}|1\rangle|B_{01}\rangle\right),$$

and if he wanted $x_2$ he has

$$\frac{1}{\sqrt{2}}\left(|0\rangle|B_{00}\rangle + (-1)^{x_2}|1\rangle|B_{10}\rangle\right).$$

From this the user can extract the bit $x_i$ of his choice (with probability 1), and nothing else. Thus we have an honest-user 2-server QSPIR for $n = 2$ with 4 qubits of communication.

To generalize to arbitrary $n = 2m$, the user can employ a larger state that involves $m$ Bell states to extract $x_i$. Namely, if $i = 2j - 1$ ($1 \leq j \leq m$) then he uses

$$\frac{1}{\sqrt{2}}\left(|0\rangle|B_{00}\rangle^{\otimes m} + |1\rangle|B_{00}\rangle^{\otimes (j-1)}|B_{01}\rangle|B_{00}\rangle^{\otimes (m-j)}\right),$$

and if $i = 2j$ then he uses

$$\frac{1}{\sqrt{2}}\left(|0\rangle|B_{00}\rangle^{\otimes m} + |1\rangle|B_{00}\rangle^{\otimes (j-1)}|B_{10}\rangle|B_{00}\rangle^{\otimes (m-j)}\right).$$

The user sends the left qubit of each of the Bell states to server 1, the right qubit of each Bell state to server 2, and keeps the first qubit to himself. The servers then apply $\sigma_{x_{2j-1} x_{2j}}$ to the $j$th qubit they receive (for all $1 \leq j \leq m$) and send back the result. Using the same properties as before, it can easily be verified that we just get the appropriate phase factor $(-1)^{x_i}$ in the $|1\rangle$-part of the user's total state and nothing else. Thus we have a scheme that works for all $n$ and that simultaneously hides $i$ from the servers and all of $x$ except $x_i$ from an honest user. In total, the scheme uses $2n$ qubits of communication: $m = n/2$ to each server, and $m = n/2$ back.
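The Bell-state scheme can be simulated in the same way. The following Python block is an added example (not code from the paper): it builds the $(2m+1)$-qubit user state with plain state vectors, lets both servers apply $\sigma_{x_{2j-1} x_{2j}}$ to their $j$th qubit, and decodes by projecting onto the two final states an honest run can produce (which is what uncomputing the preparation and measuring the first qubit amounts to). It also checks the three eigenvalue relations above and that the user's final state depends on $x$ only through $x_i$. Indices are 0-based in the code, so the paper's pair $(x_{2j-1}, x_{2j})$ is `(x[2j], x[2j+1])`, and the two qubits of Bell pair $j$ are placed adjacently at positions $2j+1$ and $2j+2$ of the vector (the first of each pair is server 1's, the second server 2's); this layout is a choice of the example, not of the paper.

```python
"""Simulation of the 2-server Bell-state QSPIR (added example, not from the paper)."""
import itertools

SQRT_HALF = 2 ** -0.5
I2 = ((1, 0), (0, 1))
X = ((0, 1), (1, 0))       # bit flip   = sigma_01
Z = ((1, 0), (0, -1))      # phase flip = sigma_10


def matmul(A, M):
    return tuple(tuple(sum(A[r][k] * M[k][c] for k in range(2)) for c in range(2)) for r in range(2))

def sigma(a, b):
    """sigma_ab = Z^a X^b: sigma_00 = I, sigma_01 = X, sigma_10 = Z, sigma_11 = ((0,1),(-1,0))."""
    return matmul(Z if a else I2, X if b else I2)

def bell(a, b):
    """|B_00> = (|00>+|11>)/sqrt2, |B_01> = (|01>+|10>)/sqrt2, |B_10> = (|00>-|11>)/sqrt2."""
    v = [0.0] * 4
    v[0b01 if b else 0b00] = SQRT_HALF
    v[0b10 if b else 0b11] = (-1) ** a * SQRT_HALF
    return v

def kron(u, v):
    return [p * q for p in u for q in v]

def inner(u, v):
    return sum(p * q for p, q in zip(u, v))

def apply_1q(state, gate, target, nq):
    """Apply a 2x2 gate to qubit `target`; qubit 0 is the most significant bit of the index."""
    out = [0.0] * len(state)
    shift = nq - 1 - target
    for idx, amp in enumerate(state):
        if amp:
            bit = (idx >> shift) & 1
            for new in (0, 1):
                out[idx ^ ((bit ^ new) << shift)] += gate[new][bit] * amp
    return out

def bell_eigenphase(a, b, x1, x2):
    """Return the phase with (sigma_{x1x2} (x) sigma_{x1x2})|B_ab> = phase |B_ab>, or None."""
    v = bell(a, b)
    w = apply_1q(apply_1q(v, sigma(x1, x2), 0, 2), sigma(x1, x2), 1, 2)
    ph = inner(v, w)
    return round(ph) if all(abs(wi - ph * vi) < 1e-9 for vi, wi in zip(v, w)) else None

def user_prepare(n, i):
    """(|0>|B_00>^m + |1>|B_00>^j |B| |B_00>^{m-j-1})/sqrt2, B = B_01 for the left bit of pair j, B_10 for the right."""
    m = n // 2
    j, right = divmod(i, 2)
    branch0, branch1 = [1.0], [1.0]
    for p in range(m):
        branch0 = kron(branch0, bell(0, 0))
        branch1 = kron(branch1, bell(right, 1 - right) if p == j else bell(0, 0))
    return [SQRT_HALF * v for v in branch0] + [SQRT_HALF * v for v in branch1]

def servers_apply(state, x):
    """Server 1 holds qubit 2j+1 and server 2 qubit 2j+2 of pair j; both apply sigma_{x[2j] x[2j+1]}."""
    m = len(x) // 2
    for j in range(m):
        gate = sigma(x[2 * j], x[2 * j + 1])
        for s in (1, 2):
            state = apply_1q(state, gate, 2 * j + s, 2 * m + 1)
    return state

def user_decode(final, n, i):
    """Project onto the two states honest servers can return: phase +1 means x_i = 0, -1 means x_i = 1."""
    plus = user_prepare(n, i)
    half = len(plus) // 2
    minus = plus[:half] + [-v for v in plus[half:]]
    if abs(inner(plus, final) - 1) < 1e-9:
        return 0
    if abs(inner(minus, final) - 1) < 1e-9:
        return 1
    raise ValueError("final state is not one the honest protocol produces")

def run_protocol(x, i):
    return user_decode(servers_apply(user_prepare(len(x), i), x), len(x), i)

def recovery_correct(n):
    return all(run_protocol(x, i) == x[i]
               for x in itertools.product((0, 1), repeat=n) for i in range(n))

def data_privacy_holds(n):
    """The user's final state (no global phase arises here) depends on x only through x_i."""
    for i in range(n):
        views = {}
        for x in itertools.product((0, 1), repeat=n):
            final = tuple(round(v, 9) for v in servers_apply(user_prepare(n, i), x))
            views.setdefault(x[i], set()).add(final)
        if any(len(v) != 1 for v in views.values()):
            return False
    return True
```

Because $\sigma_{x_1 x_2} \otimes \sigma_{x_1 x_2}$ fixes $|B_{00}\rangle$ without any sign, the untouched pairs contribute no phase at all here, so unlike the phase-based scheme there is no global phase to factor out before comparing the user's final states.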

4 Dishonest-user quantum SPIR schemes 

The assumption that the user is honest (i.e., follows the protocol) is somewhat painful, since the servers cannot rely on this. In particular, a dishonest quantum user can extract about $\log n$ bits of information about $x$ from any honest-user QSPIR where the user's final state is pure, as follows. Consider such a pure QSPIR scheme, with as many servers and communication as you like. From the user's high level perspective, this can be viewed as a unitary that maps

$$|i\rangle|0\rangle \mapsto |i\rangle|x_i\rangle|\phi_{i,x_i}\rangle.$$

Because of data privacy, the state $|\phi_{i,x_i}\rangle$ only depends on $i$ and $x_i$. Therefore by one application of the QSPIR and some unitary post-processing, the user can erase $|\phi_{i,x_i}\rangle$, mapping

$$|i\rangle|0\rangle \mapsto |i\rangle|x_i\rangle,$$

for any $i$ or superposition of $i$s of his choice. That is, one run of the QSPIR can be used to make one query to $x$. Van Dam has shown how one quantum query to $x$ can be used to obtain $O(\log n)$ bits of information about $x$ (in the information-theoretic sense that is, not necessarily $\log n$ specific database bits $x_j$). Accordingly, any pure QSPIR that is secure against an honest user will leak at least $\Omega(\log n)$ bits of information about $x$ to a cheating user. This includes our schemes from the previous section. Even worse, the servers cannot even detect whether the user cheats, because they will have the same state in the honest scheme as well as in the cheating scheme.

How to protect against dishonest quantum users? In fact we can just use a classical SPIR that is secure against dishonest users (of course, this will be a shared-randomness scheme again). If we require the servers to measure what they receive in the computational basis, then a dishonest quantum user cannot extract more information than a classical dishonest user, that is, nothing except one $x_i$.

5 Conclusion 

We have shown that the best known PIR schemes can be turned into quantum PIR schemes that are symmetrically private with respect to an honest user, i.e., except for the bit $x_i$ that he asks for, the honest user receives no information whatsoever about the database $x$. Rather interestingly, the best known quantum PIR schemes use polynomially less communication than the best known classical schemes (Table 1), but our PIR-to-QSPIR reduction does not seem to work starting from a quantum PIR system. We leave it as an open question whether the communication complexity of QSPIR schemes can be significantly reduced, either based on the QPIR schemes of [5] or via some other method.